Ukrainian computer systems attacked by sophisticated malware with "Russian roots"

Published 10 March 2014

Ukrainian computer systems and networks have been targeted by at least twenty-two attacks launched by “committed and well-funded professionals” since January 2013, defense contractor BAE Systems found. BAE declined to identify the source of the attacks, but a German company said the espionage software has “Russian roots.” The malware design “suggests that attackers possess an arsenal of infiltration tools and bears all the hallmarks of a highly sophisticated cyber operation,” the BAE report said.

Ukraine obliquely accuses Russia of releasing malware // Source: mohammediapresse.com

Ukrainian computer systems and networks have been targeted by at least twenty-two attacks launched by “committed and well-funded professionals” since January 2013, defense contractor BAE Systems found.

The Guardian reports that BAE declined to identify the source of the attacks, but that a German company said the espionage software has “Russian roots.”

The report from BAE’s Applied Intelligence unit said that the hackers used “Snake” malware which allowed them to gain control of the computer systems of large Ukrainian organizations and steal information.

Snake’s design “suggests that attackers possess an arsenal of infiltration tools and bears all the hallmarks of a highly sophisticated cyber operation,” the BAE report said.

The report does not explicitly say the attacks originated in Russia, but it did note that there were indications – such as words in Russian left in the code, and the fact that the attack originated in Moscow’s time zone – which offer a clue as to the attacks’ source.

Bochum, Germany-based security company G Data Software said that a variant of the Snake software known as Uroburos has “Russian roots.” There are “strong indications” that the group behind Uroburos, the Greek word for an ancient symbol that shows a serpent eating its own tail, is the same one that attacked U.S. military bases in 2008 with malware known as Agent.BTZ, G Data said.

“Notable hints include the usage of the exact same encryption key then and now, as well as the presence of Russian language in both cases,” the G Data report notes.

American intelligence officials told the New York Times that it was unclear whether the use of the malware was state-sponsored, and that Snake was just one of many types of malware that Ukraine is battling every day.

The BAE report is highly technical, aiming to help system operators thwart the attacks.

The Guardian notes that Ukraine was the most frequently targeted by Snake malware, but that other countries have been attacked, too. The BAE report identified fifty-six attacks which took place since 2010. Thirty-two were directed at Ukraine and eleven at Lithuania. The United Kingdom was subject to four attacks, with two each directed at the United States, Georgia, and Belgium.

In all, there were fourteen cases of Snake in Ukraine since the start of 2014, compared to eight cases in the whole of 2013.

“Whilst this view is likely to only be the tip of the iceberg, it does give us an initial insight into the profile of targets for the Snake Operations,” the BAE report said.

Martin Sutherland, the managing director of BAE Systems Applied Intelligence, said the attack described in the report raises the bar in terms of what potential targets and security officials need to do to keep ahead of cyberattackers.

“What this research once more demonstrates is how organized and well-funded adversaries are using highly sophisticated tools and techniques to target legitimate organizations on a massive scale,” he said in a statement. “Although there has been some awareness of the Snake malware for some years, until now the full scale of its capabilities could not be revealed, and the threat it presents is clearly something that needs to be taken much more seriously.”

“The usual Russian approach would be to design something that could both conduct surveillance and aid in an attack,” one senior intelligence official told the Times when describing how the National Security Agency and the Pentagon’s Cyber Command were on the lookout for the kind of computer attacks that were unleashed on Estonia seven years ago.